Practical lessons learned as the Principal Security Officer in systems at the Social Security Administration. Learn how to assess, network, communicate, and stay informed to effectively sell your security program. Enhance your networking skills, communicate with senior management, and keep yourself well-informed to succeed. Develop strategies to sell security, stay informed, and share knowledge efficiently. Empower yourself with effective communication techniques and be proactive in enhancing security awareness.
Tips and Ideas to Help Sell Your Security Program
Practical Lessons Learned as the Principal Security Officer in Systems at the Social Security Administration
Agenda for This Talk
• Periodically, assess the health of your security program
• Network to maximize your resources
• Stay abreast of new governing directives, emerging technologies, audit reports…
• Communicate with management regularly
• Let KISS be the rule for all briefings and presentations to sell your security program
Determine the Security Health of Your Work Environment
• Know your management’s expectations
  – Check periodically, because it is not static
• Review previous audits, reviews, etc. that can help you determine known challenges
• Depending on your scope of responsibility and authority, make a list of things to do and/or delegate to others based on NEED
• Keep management abreast of security accomplishments/challenges/key changes
Networking is Important
• Establish and maintain internal/external networks – peers are a valuable asset
• Find ways to partner with managers and other key people outside of the security staff
• When you have more to accomplish than the resources available, be creative in finding others who will benefit from the project
• Share the glory and show your gratitude in ways that COUNT to the recipient!
Stay Informed
• Maintain primary references and know where/how/who to find secondary sources
• Basic KSAs (knowledge, skills, and abilities) are needed to perform well
• Stay tuned to NIST, GAO, OMB, OIG, etc.
• Keep alert about new projects, challenges, organizational changes, policies, laws, etc.
• Read about new technologies/techniques
• Review audit reports, security reviews, etc.
Communicating with Senior Management
• Communicate at the level of relevance
• Communicate regularly by being creative
• Focus on the business case vs. the penalty
• KISS-test all briefings, be specific, never mention a problem without solutions, ask open questions and seek counsel/advice
• Always include some good news
• Be prepared and provide timely follow-up
Selling Security
• Document substantive security briefings as a security awareness activity
• Meet program/project managers regularly to assist them in assessing risks, knowing their security responsibilities, etc.
• Customize interesting awareness activities to meet the needs of the audience
• Be committed, enthusiastic, simple, and relevant to real-world needs/experiences
Stay Informed and Share Knowledge Willingly
• You may need to do homework again!
• Stay focused on the business reasons for mitigating risks vs. the legal requirements
• Efficient, almost non-disruptive strategies to address weaknesses are easier to sell
• Seek innovative ways to teach the ABCs of security outside the classroom setting
• A series of short, relevant briefings may be easier to sell than a lengthy training class
Concluding Thoughts
• A positive attitude and your willingness to make all communications relevant are essential
• Routinely sharing articles and websites of potential interest is best done with a synopsis and a comment on relevance
• Communications are often better late in the day
• Volunteer: join project teams, prepare briefings on security-related documents, sell yourself as one who prevents, detects and solves problems!